top of page
  • Writer's pictureTim Burns

When a Secret is No Longer a Secret

Least Privilege on Shared Systems

Photo by Ben White on Unsplash

Extending secure access on a heterogeneous system can be complex. One component of the system may have access to a secret, but another may not. And, of course, when a secret gets out, it isn't a secret anymore.

I'm designing a secret system on a third-party data integration tool and I ran across this article.

Important takeaways:

  • Encrypt secrets

  • Without giving containers and services an identity, it is not possible to protect and restrict access to secrets with access control policies

  • Give identity to only the project that needs the resource, not the whole environment

  • Use ephemeral resources to pass secrets (like environment variables)

  • Give the ephemeral resources hard-to-guess names - MY_SECRET:(some md5 hash)

  • Keep track of who knows your secrets

11 views0 comments

Recent Posts

See All


bottom of page